[Bug]: exec-approvals: `ask: off` and `security: full` in exec-approvals.json not respected on Windows

[villegao31-ship-it]

Bug type

Regression (worked before, now fails)

Beta release blocker

No

Summary

Setting ask: off / security: full in exec-approvals.json has no effect on Windows; every exec call returns exec denied: allowlist miss even after gateway restart.

Steps to reproduce

1. Edit ~/.openclaw/exec-approvals.json, add "ask": "off" and "security": "full" under agents.main
2. Run openclaw gateway restart
3. Agent exec call returns exec denied: allowlist miss
4. Tried openclaw approvals set --file <new-config.json> — config was accepted (Defaults: security=full, ask=off shown in output), but exec still denied

Expected behavior

Setting security: full and ask: off should bypass all exec approval checks. Agent should be able to run commands without approval prompts.

Actual behavior

Every exec call returns exec denied: allowlist miss regardless of ask or security settings in exec-approvals.json. The allowlist uses command hashes (=command:<hash>) that change with every slight variation, making allow-always effectively useless on Windows.

OpenClaw version

2026.4.1 (da64a97)

Operating system

Windows 11

Install method

npm global

Model

kimi

Provider / routing chain

openclaw -> kimi

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

No response

[steipete]

Closing this as implemented after Codex review.

Current main already addresses this path: host exec policy is now explicitly modeled as the merge/intersection of requested tools.exec.* policy and the host approvals file, the CLI reports that effective policy, and the docs/exec-policy flow tell users to set both layers (or use the YOLO preset) for no-prompt host exec.

What I checked:

• Runtime merges requested tool policy with host approvals: Gateway/node host exec does not treat exec-approvals.json as the only input. resolveExecHostApprovalContext(...) loads host approvals, then computes hostSecurity = minSecurity(requested, approvals.agent.security) and hostAsk = maxAsk(requested, approvals.agent.ask). (src/agents/bash-tools.exec-host-shared.ts:198)
• Effective-policy helper makes the intersection explicit: resolveExecPolicyScopeSnapshot(...) resolves the approvals file and then derives effectiveSecurity/effectiveAsk from both requested tools.exec.* values and the host approvals file. (src/infra/exec-approvals-effective.ts:229)
• CLI now reports the merged policy instead of only the host file: openclaw approvals get emits the note Effective exec policy is the host approvals file intersected with requested tools.exec policy.. (src/cli/exec-approvals-cli.ts:238)
• Docs now describe the two-layer requirement and the supported fix path: The exec-approvals docs say no-prompt host exec requires opening both layers: OpenClaw config (tools.exec.*) and the host-local approvals file, and document openclaw exec-policy preset yolo as the local shortcut. (docs/tools/exec-approvals.md:113)
• CLI docs explain that approvals set changes only the host file: The approvals CLI docs now state that changing the approvals file alone is not sufficient for YOLO mode and explicitly tell users to also set tools.exec.host/security/ask, or use openclaw exec-policy preset yolo. (docs/cli/approvals.md:126)
• Policy test covers the reported premise: The policy helper test asserts that with security: "full", an allowlist miss does not trigger approval (expected: false), which matches the intended current-main behavior rather than the reported Windows denial path. (src/infra/exec-approvals-policy.test.ts:153)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against ec3dbd22a4de.